Abstract



Self-stabilization ensures that, after any transient fault, the system recovers in a finite time and eventually exhibits a correct behavior. Speculation consists in guaranteeing that the system satisfies its requirements for any execution but exhibits significantly better performance for a subset of executions that are more probable. A speculative protocol is in this sense supposed to be both robust and efficient in practice.

We introduce the notion of speculative stabilization, which we illustrate through the mutual exclusion problem. We then present a novel speculatively stabilizing mutual exclusion protocol. Our protocol is self-stabilizing for any asynchronous execution. We prove that its stabilization time for synchronous executions is $\lceil diam(g)/2 \rceil$ steps (where $diam(g)$ denotes the diameter of the system).

This complexity result is of independent interest. The celebrated mutual exclusion protocol of Dijkstra stabilizes in $n$ steps (where $n$ is the number of processes) in synchronous executions, and the question whether the stabilization time could be strictly smaller than the diameter has been open since then (almost 40 years). We show that this is indeed possible for any underlying topology. We also provide a lower bound proof that shows that our new stabilization time of $\lceil diam(g)/2 \rceil$ steps is optimal for synchronous executions, even if asynchronous stabilization is not required.

Keywords: Fault-tolerance; Speculation; Self-stabilization; Mutual exclusion. 

1 Introduction 

The speculative approach to distributed computing [HI ESI dSl [T31 E] relies on the inherent trade-off between robustness and efficiency. Indeed, we typically require distributed applications to be safe and live under various hostile conditions such as asynchronism, faults, attacks, and contention. This typically leads to high consumption of system resources, e.g. computation time, because of the need to perform synchronization, redundancy or checking.

The speculative approach assumes that, even if degraded conditions are indeed possible, they are less probable than friendly conditions (for example, synchronous executions without faults). The underlying idea is to simultaneously ensure that the protocol is correct whatever the execution is (even in degraded conditions) but to optimize it for the subset of executions that are the most probable in practice. Even if this idea has been applied in various contexts, it has never been applied to distributed systems tolerant to transient faults, i.e. self-stabilizing systems [8]. In fact, it was not clear whether self-stabilization and speculation could even be combined because of the specific nature of transient faults, which may corrupt the state of the entire system. The objective of this paper is to explore this avenue.

Self-stabilization was introduced by Dijkstra [8]. Intuitively, a self-stabilizing system ensures that, after the end of any transient fault, the system reaches in a finite time, without any external help, a correct behavior. In other words, a self-stabilizing system repairs itself from any catastrophic state. Since the seminal work of Dijkstra, self-stabilizing protocols have been largely studied (see e.g. [9, 24, 16]). The main objective has been to design self-stabilizing systems tolerating asynchronism while reducing the stabilization time, i.e., the worst time needed by the protocol to recover a correct behavior over all executions of the system.

Our contribution is twofold. First, we define a new variation of self-stabilization in which the main measure of complexity, the stabilization time, is regarded as a function of the adversary and not as a single value. Indeed, we associate with each adversary (known as a scheduler or daemon in self-stabilization) the worst stabilization time of the protocol over the set of executions captured by this adversary. Then, we define a speculatively stabilizing protocol as a protocol that self-stabilizes under a given adversary but exhibits a significantly better stabilization time under another (and weaker) adversary. In this way, we ensure that the protocol stabilizes in a large set of executions but guarantees efficiency only on a smaller set (the one we speculate to be more probable in practice). For the sake of simplicity, we present our notion of speculative stabilization for two adversaries. It can easily be extended to an arbitrary number of adversaries.

Although the idea of optimizing the stabilization time for some subclass of executions is new, some self-stabilizing protocols satisfy (somehow by accident) our definition of speculative stabilization. For example, the stabilization time of Dijkstra's mutual exclusion protocol falls to $n$ steps (the number of processes) in synchronous executions. The question whether one could do better has been open since then, i.e. for almost 40 years. We close the question in this paper through our second contribution.

Indeed, we present a novel speculatively stabilizing mutual exclusion protocol. We prove that its stabilization time for synchronous executions is $\lceil diam(g)/2 \rceil$ steps (where $diam(g)$ denotes the diameter of the system), which significantly improves the bound of Dijkstra's protocol. We prove that we cannot improve it. Indeed, we present a lower bound result on the stabilization time of mutual exclusion for synchronous executions. This result is of independent interest since it remains true beyond the scope of speculation and holds even for a protocol that does not need to stabilize in asynchronous executions.

Designing our protocol went through addressing two technical challenges. First, we require the stabilization of a global property (the uniqueness of the critical section) in a time strictly smaller than the diameter of the system, which is counter-intuitive (even for synchronous executions). Second, the optimization of the stabilization time for synchronous executions must not prevent the stabilization for asynchronous ones.

The key to addressing both challenges was a "reduction" to clock synchronization: more specifically, leveraging the self-stabilizing asynchronous unison protocol of [2] within mutual exclusion. We show that it is sufficient to choose the clock size correctly and to grant access to the critical section upon some clock values to ensure (i) the self-stabilization of the protocol for any asynchronous execution as well as (ii) the optimality of its stabilization time for synchronous ones. This reduction was also, we believe, the key to the genericity of our protocol. Unlike Dijkstra's protocol, which assumes an underlying ring-shaped communication structure, our protocol runs over any communication structure.

We derive our lower bound result for synchronous executions from the observation that a process can gather information at most at distance $d$ in $d$ steps, whatever protocol it executes. Hence, in the worst case, it is impossible for a deterministic protocol to prevent two processes from simultaneously entering the critical section during the first $\lceil diam(g)/2 \rceil$ steps of all executions.

The rest of this paper is organized as follows. Section 2 introduces the model and the definitions used throughout the paper. Section 3 presents our notion of speculative stabilization. Section 4 presents our mutual exclusion protocol. Section 5 provides our lower bound result. Section 6 ends the paper with some perspectives.

2 Model, Definitions, and Notations 

We consider the classical model of distributed systems introduced by Dijkstra [8]. Processes communicate by atomic reading of neighbors' states, and the (asynchronous) adversary of the system is captured by an abstraction called daemon.

Distributed protocol. The distributed system consists of a set of processes that form a communication graph. The processes are vertices in this graph and the set of those vertices is denoted by $V$. The edges of this graph are pairs of processes that can communicate with each other. Such pairs are neighbors and the set of edges is denoted by $E$ ($E \subseteq V^2$). Hence, $g = (V, E)$ is the communication graph of the distributed system. Each vertex of $g$ has a set of variables, each of them ranging over a fixed domain of values. A state $\gamma(v)$ of a vertex $v$ is the vector of values of all variables of $v$ at a given time. An assignment of values to all variables of the graph is a configuration. The set of configurations of $g$ is denoted by $\Gamma$. An action $a$ of $g$ transitions the graph from one configuration to another. The set of actions of $g$ is denoted by $A$ ($A = \{(\gamma, \gamma') \mid \gamma \in \Gamma, \gamma' \in \Gamma, \gamma \neq \gamma'\}$). A distributed protocol $\pi$ on $g$ is defined as a subset of $A$ that gathers all actions of $g$ allowed by $\pi$. The set of distributed protocols on $g$ is denoted by $\Pi$ ($\Pi = \mathcal{P}(A)$ where, for any set $S$, $\mathcal{P}(S)$ denotes the powerset of $S$).

Execution. Given a graph $g$ and a distributed protocol $\pi$ on $g$, an execution $e$ of $\pi$ on $g$, starting from a given configuration $\gamma_0$, is a maximal sequence of actions of $\pi$ of the form $e = (\gamma_0, \gamma_1)(\gamma_1, \gamma_2)(\gamma_2, \gamma_3)\ldots$ An execution is maximal if it is either infinite, or finite but its last configuration is terminal (that is, there exists no action of $\pi$ starting from this configuration). The set of all executions of $\pi$ on $g$, starting from all configurations of $\Gamma$, is denoted by $\Sigma_\pi$.

Adversary (daemon). Intuitively, a daemon is a restriction on the executions of distributed protocols that are considered possible. For a distributed protocol $\pi$, at each configuration $\gamma$, a subset of vertices are enabled, that is, there exists an action of $\pi$ that modifies their state (formally, $v$ is enabled in $\gamma$ if $\exists \gamma' \in \Gamma,\ (\gamma, \gamma') \in \pi \wedge \gamma(v) \neq \gamma'(v)$). The daemon then chooses one of the possible actions of $\pi$ starting from $\gamma$ (and hence selects a subset of enabled vertices that are allowed to modify their state during this action). A formal definition follows.

Definition 1 (Daemon). Given a graph $g$, a daemon $d$ on $g$ is a function that associates to each distributed protocol $\pi$ on $g$ a subset of executions of $\pi$, that is, $d : \pi \in \Pi \mapsto d(\pi) \in \mathcal{P}(\Sigma_\pi)$.

Given a graph $g$, a daemon $d$ on $g$ and a distributed protocol $\pi$ on $g$, an execution $e$ of $\pi$ ($e \in \Sigma_\pi$) is allowed by $d$ if and only if $e \in d(\pi)$. Also, given a graph $g$, a daemon $d$ on $g$ and a distributed protocol $\pi$ on $g$, we say that $\pi$ runs on $g$ under $d$ if we consider that the only possible executions of $\pi$ on $g$ are those allowed by $d$.

Some classical examples of daemons follow. The unfair distributed daemon [19] (denoted by $ud$) is the least constrained one, since no assumption is made on its choices (any execution of the distributed protocol is allowed). The synchronous daemon [15] (denoted by $sd$) is the one that selects all enabled vertices in each configuration. The central daemon [8] (denoted by $cd$) selects only one enabled vertex in each configuration.

This way of viewing daemons as a set of possible executions (for a particular graph g) drives 
a natural partial order over the set of daemons. For a particular graph g, a daemon d is more 
powerful than another daemon d' if all executions allowed by d' are also allowed by d. Overall, d 
has more scheduling choices than d' . A more precise definition follows. 

Definition 2 (Partial order over daemons). For a given graph $g$, we define the following partial order $\preceq$ on the set $D$ of daemons on $g$: $\forall (d, d') \in D^2,\ d \preceq d' \Leftrightarrow (\forall \pi \in \Pi,\ d(\pi) \subseteq d'(\pi))$. If two daemons $d$ and $d'$ satisfy $d \preceq d'$, we say that $d'$ is more powerful than $d$.

For example, the unfair distributed daemon is more powerful than any daemon (in particular the synchronous one). Note that some daemons (for example the synchronous and the central ones) are not comparable. For a more detailed discussion about daemons, the reader is referred to [10].

Further notations. Given a graph $g$ and a distributed protocol $\pi$ on $g$, we introduce the following notations. First, $n$ denotes the number of vertices of the graph whereas $m$ denotes the number of edges ($n = |V|$ and $m = |E|$). The set of neighbors of a vertex $v$ is denoted by $neig(v)$. The distance between two vertices $u$ and $v$ (that is, the length of a shortest path between $u$ and $v$ in $g$) is denoted by $dist(g, u, v)$. The diameter of $g$ (that is, the maximal distance between two vertices of $g$) is denoted by $diam(g)$. For any execution $e = (\gamma_0, \gamma_1)(\gamma_1, \gamma_2)\ldots$, we denote by $e_i$ the prefix of $e$ of length $i$ (that is, $e_i = (\gamma_0, \gamma_1)(\gamma_1, \gamma_2)\ldots(\gamma_{i-1}, \gamma_i)$).

Guarded representation of distributed protocols. For the sake of clarity, we do not describe distributed protocols by enumerating all their actions. Instead, we represent distributed protocols using a local description of actions borrowed from [8]. Each vertex has a local protocol consisting of a set of guarded rules of the following form: $\langle label \rangle :: \langle guard \rangle \rightarrow \langle action \rangle$. $\langle label \rangle$ is a name used to refer to the rule in the text. $\langle guard \rangle$ is a predicate that involves variables of the vertex and of its neighbors. This predicate is true if and only if the vertex is enabled in the current configuration. We say that a rule is enabled in a configuration when its guard evaluates to true in this configuration. $\langle action \rangle$ is a set of instructions modifying the state of the vertex. This set of instructions describes the changes of the vertex state when the vertex is activated by the daemon.



Self-stabilization. Intuitively, to be self-stabilizing [8], a distributed protocol must satisfy the two following properties: (i) closure, that is, there exists some configuration from which any execution of the distributed protocol satisfies the specification; and (ii) convergence, that is, starting from any arbitrary configuration, any execution of the distributed protocol reaches in a finite time a configuration that satisfies the closure property.

Self-stabilization induces fault-tolerance since the initial configuration of the system may be arbitrary because of a burst of transient faults. Then, a self-stabilizing distributed protocol ensures that after a finite time (called the convergence or stabilization time), the distributed protocol recovers on its own a correct behavior (by the convergence property) and keeps this correct behavior as long as no further faults occur (by the closure property).

Definition 3 (Self-stabilization [8]). A distributed protocol $\pi$ is self-stabilizing for specification $spec$ under a daemon $d$ if, starting from any arbitrary configuration, every execution of $d(\pi)$ contains a configuration from which every execution of $d(\pi)$ satisfies $spec$.

For any distributed protocol $\pi$ that is self-stabilizing under a daemon $d$ for a specification $spec$, its convergence (or stabilization) time (denoted by $conv\_time(\pi, d)$) is the worst stabilization time (that is, the number of actions required to reach a configuration from which any execution satisfies $spec$) over the executions of $\pi$ allowed by $d$. Note that, for any distributed protocol $\pi$ that is self-stabilizing under a daemon $d$, $\pi$ is self-stabilizing under any daemon $d'$ such that $d' \preceq d$, and $conv\_time(\pi, d') \leq conv\_time(\pi, d)$.

3 Speculative Stabilization 

Intuitively, a speculative protocol ensures the correctness in a large set of executions but is optimized 
for some scenarios that are speculated to be more frequent (maybe at the price of worst performance 
in less frequent cases). 

Regarding self-stabilization, the most common measure of complexity is the stabilization time. 
Accordingly, we choose to define a speculatively stabilizing protocol as a self-stabilizing protocol 
under a given daemon that exhibits a significantly better stabilization time under a weaker daemon 
(the latter gathers scenarios that are speculated to be more frequent). We can now define our 
notion of speculative stabilization. 

Definition 4 (Speculative Stabilization). For two daemons $d$ and $d'$ satisfying $d' \prec d$, a distributed protocol $\pi$ is $(d, d', f)$-speculatively stabilizing for specification $spec$ if: (i) $\pi$ is self-stabilizing for $spec$ under $d$; and (ii) $f$ is a function on $g$ satisfying $conv\_time(\pi, d) \geq$ [the right-hand side of this condition is lost in the extracted text; in the examples below, $f(g)$ is the ratio of the stabilization time under $d$ to the one under $d'$].

We restrict ourselves to two daemons here for the sake of clarity. We can easily extend this definition to an arbitrary number of daemons (as long as they are comparable). For instance, we can say that a distributed protocol $\pi$ is $(d, d_1, d_2, f_1, f_2)$-speculatively stabilizing (with $d_1 \prec d$ and $d_2 \prec d$) if it is both $(d, d_1, f_1)$-speculatively stabilizing and $(d, d_2, f_2)$-speculatively stabilizing.

Still for the sake of simplicity, we say in the following that a distributed protocol $\pi$ is $d$-speculatively stabilizing for specification $spec$ if $d \prec ud$ and $\pi$ is $(ud, d, f)$-speculatively stabilizing for specification $spec$ for some function $f > 1$. In other words, a $d$-speculatively stabilizing distributed protocol is self-stabilizing under the unfair distributed daemon (and hence always guarantees convergence) but is optimized for a given subclass of executions described by $d$.

Examples. Although speculation in self-stabilization has not yet been precisely defined, some self-stabilizing distributed protocols in the literature turn out to be speculative. We survey some of them in the following.

The seminal work of Dijkstra [8] introduced self-stabilization in the context of mutual exclusion. His celebrated protocol operates only on rings. It is in fact $(ud, sd, g \mapsto n)$-speculatively stabilizing since it stabilizes in $O(n^2)$ steps under the unfair distributed daemon, and it is easy to see that it needs only $n$ steps to stabilize under the synchronous daemon. The well-known min+1 protocol of [17] is $(ud, sd, g \mapsto n^2/diam(g))$-speculatively stabilizing for BFS spanning tree construction. Its stabilization time is in $\Theta(n^2)$ steps under the unfair distributed daemon while it is in $\Theta(diam(g))$ steps under the synchronous daemon. Another example is the self-stabilizing maximal matching protocol of [22]. This protocol is $(ud, sd, g \mapsto m/n)$-speculatively stabilizing: its stabilization time is $4n + 2m$ (respectively $2n + 1$) steps under the unfair distributed (respectively synchronous) daemon.



4 A new Mutual Exclusion Protocol 

Mutual exclusion was classically adopted as a benchmark in self-stabilization under various settings [H [20l [TH [5l [1]. Intuitively, it consists in ensuring that each vertex enters the critical section infinitely often and that two vertices are never simultaneously in the critical section. Using such a distributed protocol, vertices can for example access shared resources without conflict.

Our contribution in this context is a novel self-stabilizing distributed protocol for mutual exclusion under the unfair distributed daemon that moreover exhibits optimal convergence time under the synchronous daemon. Contrary to Dijkstra's protocol, our protocol supports any underlying communication structure (we do not assume that the communication graph is a ring). Thanks to speculation, our protocol is well suited to environments in which we speculate that most executions are synchronous.

We adopt the following specification of mutual exclusion. For each vertex $v$, we define a predicate $privileged_v$ (over variables of $v$ and possibly of its neighbors). We say that a vertex $v$ is privileged in a configuration $\gamma$ if and only if $privileged_v = true$ in $\gamma$. If a vertex $v$ is privileged in a configuration $\gamma$ and $v$ is activated during an action $(\gamma, \gamma')$, then $v$ executes its critical section during this action. We can now specify the mutual exclusion problem as follows.

Specification 1 (Mutual exclusion $spec_{ME}$). An execution $e$ satisfies $spec_{ME}$ if at most one vertex is privileged in any configuration of $e$ (safety) and every vertex executes its critical section infinitely often in $e$ (liveness).



The rest of this section is organized as follows. Section 4.1 overviews our protocol. Section 4.2 
proves the correctness of our protocol under the unfair distributed daemon. Section 4.3 analyzes 
its stabilization time under the synchronous and the unfair distributed daemon. 



4.1 Speculatively Stabilizing Mutual Exclusion 

As we restrict ourselves to deterministic protocols, we know by [4] that, to ensure mutual exclusion, we must assume a system with identities (that is, each vertex has a distinct identifier). Indeed, we know by [4] that the problem admits no deterministic solution on uniform (i.e. without identifiers) rings of composite size. Without loss of generality, we assume that the set of identities (denoted by $ID$) is equal to $\{0, 1, \ldots, n-1\}$ (if this assumption is not satisfied, it is easy to define a mapping of identities satisfying it).

Our protocol is based upon an existing self-stabilizing distributed protocol for the asynchronous unison problem [12, 6]. This problem consists in ensuring, under the unfair distributed daemon, some synchronization guarantees on vertices' clocks. More precisely, each vertex has a register that contains a clock value. A clock is a bounded set enhanced with an incrementation function. Intuitively, an asynchronous unison protocol ensures that the difference between neighbors' registers is bounded and that each register is infinitely often incremented.

In the following, we give the definition of this problem and the solution proposed in [2] from which we derive our mutual exclusion protocol.



Clock. A bounded clock $X = (C, \phi)$ is a bounded set $C = cherry(\alpha, K)$ (parametrized with two integers $\alpha \geq 1$ and $K \geq 2$) enhanced with an incrementation function $\phi$ defined as follows.

Let $c$ be any integer. Denote by $\bar{c}$ the unique element in $\{0, \ldots, K-1\}$ such that $\bar{c} \equiv c \pmod K$. We define the distance $d_K(c, c') = \min\{\overline{c - c'}, \overline{c' - c}\}$ on $\{0, \ldots, K-1\}$. Two integers $c$ and $c'$ are said to be locally comparable if and only if $d_K(c, c') \leq 1$. We then define the local order relation $\leq_l$ as follows: $c \leq_l c'$ if and only if $0 \leq \overline{c' - c} \leq 1$. Let us define $cherry(\alpha, K) = \{-\alpha, \ldots, 0, \ldots, K-1\}$. Let $\phi$ be the function defined by:

$$\phi : c \in cherry(\alpha, K) \mapsto \begin{cases} c + 1 & \text{if } c < 0 \\ (c + 1) \bmod K & \text{otherwise} \end{cases}$$

[Figure 1: A bounded clock $X = (cherry(\alpha, K), \phi)$ with $\alpha = 5$ and $K = 12$. The drawing itself is not reproduced in the text.]

The pair $X = (cherry(\alpha, K), \phi)$ is called a bounded clock of initial value $\alpha$ and of size $K$ (see Figure 1). We say that a clock value $c \in cherry(\alpha, K)$ is incremented when this value is replaced by $\phi(c)$. A reset on $X$ consists of an operation replacing any value of $cherry(\alpha, K) \setminus \{-\alpha\}$ by $-\alpha$. Let $init_X = \{-\alpha, \ldots, 0\}$ and $stab_X = \{0, \ldots, K-1\}$ be the sets of initial values and of correct values respectively. Let us denote $init^*_X = init_X \setminus \{0\}$, $stab^*_X = stab_X \setminus \{0\}$, and $\leq_{init}$ the usual total order on $init_X$.



Asynchronous unison. Given a distributed system in which each vertex $v$ has a register $r_v$ taking a value of a bounded clock $X = (C, \phi)$ with $C = cherry(\alpha, K)$, we define a legitimate configuration for asynchronous unison as a configuration satisfying: $\forall v \in V, \forall u \in neig(v),\ (r_v \in stab_X) \wedge (r_u \in stab_X) \wedge (d_K(r_v, r_u) \leq 1)$. In other words, a legitimate configuration is a configuration in which each clock value is a correct one and the drift between neighbors' registers is bounded by 1. We denote by $\Gamma_1$ the set of legitimate configurations for asynchronous unison. Note that, for any configuration of $\Gamma_1$ and any pair of vertices $(u, v)$, we have $d_K(r_u, r_v) \leq dist(g, u, v) \leq diam(g)$, since $d_K$ satisfies the triangle inequality along any path from $u$ to $v$. We can now specify the problem.

Specification 2 (Asynchronous unison $spec_{AU}$). An execution $e$ satisfies $spec_{AU}$ if every configuration of $e$ belongs to $\Gamma_1$ (safety) and the clock value of each vertex is infinitely often incremented in $e$ (liveness).

In [2], the authors propose a self-stabilizing asynchronous unison distributed protocol for any anonymous distributed system under the unfair distributed daemon. The main idea of this protocol is to reset the clock value of each vertex that detects a local safety violation (that is, whenever some neighbor holds a clock value that is not locally comparable with its own). Otherwise, a vertex is allowed to increment its clock (whether of initial or of correct value) only if its value is locally the smallest one.
Algorithm 1 $SSME$: Mutual exclusion protocol for vertex $v$.

Constants:
  $id_v \in ID$ : identity of $v$
  $n \in \mathbb{N}$ : number of vertices of the communication graph
  $diam(g) \in \mathbb{N}$ : diameter of the communication graph
  $X = (cherry(n, (2n-1)(diam(g)+1)+2), \phi)$ : clock of $v$

Variable:
  $r_v \in X$ : register of $v$

Predicates:
  $privileged_v = (r_v = 2n + 2\,diam(g)\,id_v)$
  $correct_v(u) = (r_v \in stab_X) \wedge (r_u \in stab_X) \wedge (d_K(r_v, r_u) \leq 1)$
  $allCorrect_v = \forall u \in neig(v),\ correct_v(u)$
  $normalStep_v = allCorrect_v \wedge (\forall u \in neig(v),\ r_v \leq_l r_u)$
  $convergeStep_v = (r_v \in init^*_X) \wedge (\forall u \in neig(v),\ r_u \in init_X \wedge r_v \leq_{init} r_u)$
  $resetInit_v = \neg allCorrect_v \wedge (r_v \notin init_X)$

Rules:
  $NA :: normalStep_v \rightarrow r_v := \phi(r_v)$
  $CA :: convergeStep_v \rightarrow r_v := \phi(r_v)$
  $RA :: resetInit_v \rightarrow r_v := -n$



The choice of parameters $\alpha$ and $K$ is crucial. In particular, to make the protocol self-stabilizing for any anonymous communication graph $g$ under the unfair distributed daemon, the parameters must satisfy $\alpha \geq hole(g) - 2$ and $K > cyclo(g)$, where $hole(g)$ and $cyclo(g)$ are two constants related to the topology of $g$. Namely, $hole(g)$ is the length of a longest hole in $g$ (i.e. a longest chordless cycle) if $g$ contains a cycle, and 2 otherwise. $cyclo(g)$ is the cyclomatic characteristic of $g$ (i.e. the length of the maximal cycle of the shortest maximal cycle basis of $g$) if $g$ contains a cycle, and 2 otherwise. Actually, [2] shows that taking $\alpha \geq hole(g) - 2$ ensures that the protocol recovers in finite time a configuration in $\Gamma_1$. Then, taking $K > cyclo(g)$ ensures that each vertex increments its local clock infinitely often. Note that, by definition, $hole(g)$ and $cyclo(g)$ are bounded by $n$.

The mutual exclusion protocol. The main idea behind our protocol is to execute the asynchronous unison of [2], presented earlier, with a particular bounded clock and then to grant the privilege to a vertex only when its clock reaches some value. The clock size must be sufficiently large to ensure that at most one vertex is privileged in any configuration of $\Gamma_1$. If the definition of the predicate $privileged$ guarantees this property, then the correctness of our mutual exclusion protocol follows from the one of the underlying asynchronous unison.

More specifically, we choose a bounded clock $X = (cherry(\alpha, K), \phi)$ with $\alpha = n$ and $K = (2n-1)(diam(g)+1)+2$, and we define $privileged_v = (r_v = 2n + 2\,diam(g)\,id_v)$. In particular, note that we have $privileged_{v_0} = (r_{v_0} = 2n)$ for the vertex $v_0$ of identity 0, and $privileged_{v_{n-1}} = (r_{v_{n-1}} = (2n-2)(diam(g)+1)+2)$ for the vertex $v_{n-1}$ of identity $n-1$.

Our distributed protocol, called $SSME$ (for Speculatively Stabilizing Mutual Exclusion), is described in Algorithm 1. Note that this protocol is identical to the one of [2] except for the size of the clock and the definition of the predicate $privileged$ (which does not interfere with the protocol).

We prove in the following that this protocol is self-stabilizing for $spec_{ME}$ under the unfair distributed daemon and exhibits the optimal convergence time under the synchronous one. In other words, we will prove that this protocol is $sd$-speculatively stabilizing for $spec_{ME}$.
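To make the rules of Algorithm 1 concrete, the following Python simulation (an added example written for this page, not code from the paper or from [2]) runs $SSME$ on a small constructed graph, both under the synchronous daemon and, going slightly beyond the synchronous analysis of this section, under a random central daemon. The helper names (Clock, SSME, run_sync, run_central), the 3-vertex path and its corrupted initial configuration are our own; the clock parameters, predicates and rules follow Algorithm 1, with identities $ID = \{0, \ldots, n-1\}$ assigned by sorting vertex names. Starting from a configuration in which all three vertices are privileged at once, the synchronous run has at most one privileged vertex in every configuration after a single step ($\lceil diam(g)/2 \rceil = 1$ here), reaches $\Gamma_1$, and then grants the privilege to each vertex in turn.

```python
# Simulation of SSME (Algorithm 1): an added example, not the paper's code. The names
# Clock, SSME, run_sync and run_central are ours; rules and parameters follow Algorithm 1.
from collections import deque
import random

def bfs_dist(adj, src):
    dist, q = {src: 0}, deque([src])          # hop distances from src (undirected adjacency dict)
    while q:
        x = q.popleft()
        for y in adj[x]:
            if y not in dist:
                dist[y] = dist[x] + 1
                q.append(y)
    return dist

def diameter(adj):
    return max(max(bfs_dist(adj, v).values()) for v in adj)

class Clock:
    """Bounded clock X = (cherry(alpha, K), phi): -alpha..0 are initial values, 0..K-1 correct ones."""
    def __init__(self, alpha, K):
        self.alpha, self.K = alpha, K
    def phi(self, c):            # incrementation function
        return c + 1 if c < 0 else (c + 1) % self.K
    def d_K(self, c, cp):        # distance d_K on correct values
        return min((c - cp) % self.K, (cp - c) % self.K)
    def le_local(self, c, cp):   # c <=_l c'  <=>  0 <= (c' - c) mod K <= 1
        return (cp - c) % self.K <= 1
    def in_init(self, c): return -self.alpha <= c <= 0
    def in_stab(self, c): return 0 <= c < self.K

class SSME:
    """One copy of Algorithm 1 per vertex; self.r maps each vertex v to its register r_v."""
    def __init__(self, adj, config):
        self.adj, self.n, self.diam = adj, len(adj), diameter(adj)
        self.K = (2 * self.n - 1) * (self.diam + 1) + 2
        self.clock = Clock(self.n, self.K)                    # alpha = n
        self.ids = {v: i for i, v in enumerate(sorted(adj))}  # ID = {0..n-1} by sorted name
        self.r = dict(config)
    def privileged(self, v):
        return self.r[v] == 2 * self.n + 2 * self.diam * self.ids[v]
    def correct(self, v, u):
        c, r = self.clock, self.r
        return c.in_stab(r[v]) and c.in_stab(r[u]) and c.d_K(r[v], r[u]) <= 1
    def enabled_rule(self, v):
        """Name of the rule enabled at v (NA, CA or RA), or None."""
        c, r, nb = self.clock, self.r, self.adj[v]
        all_correct = all(self.correct(v, u) for u in nb)
        if all_correct and all(c.le_local(r[v], r[u]) for u in nb):
            return "NA"                                       # normalStep_v
        if -c.alpha <= r[v] < 0 and all(c.in_init(r[u]) and r[v] <= r[u] for u in nb):
            return "CA"                                       # convergeStep_v
        if not all_correct and not c.in_init(r[v]):
            return "RA"                                       # resetInit_v
        return None
    def step(self, chosen):
        """One action: every vertex in `chosen` reads its neighbours, then all of them write."""
        rules = {v: self.enabled_rule(v) for v in chosen}
        new = dict(self.r)
        for v, rule in rules.items():
            if rule in ("NA", "CA"):
                new[v] = self.clock.phi(self.r[v])
            elif rule == "RA":
                new[v] = -self.clock.alpha
        self.r = new
    def enabled(self):
        return [v for v in sorted(self.adj) if self.enabled_rule(v)]
    def privileged_set(self):
        return frozenset(v for v in self.adj if self.privileged(v))
    def legitimate(self):        # configuration in Gamma_1
        return all(self.correct(v, u) for v in self.adj for u in self.adj[v])

def run_sync(adj, config, steps):
    """Synchronous daemon: returns the simulator and the privileged sets of gamma_0 .. gamma_steps."""
    sim = SSME(adj, config)
    hist = [sim.privileged_set()]
    for _ in range(steps):
        sim.step(sim.enabled())
        hist.append(sim.privileged_set())
    return sim, hist

def run_central(adj, config, seed=1, max_steps=5000):
    """Central daemon picking one enabled vertex at random; steps until Gamma_1 is reached, or -1."""
    sim, rng = SSME(adj, config), random.Random(seed)
    for t in range(max_steps + 1):
        if sim.legitimate():
            return t
        sim.step([rng.choice(sim.enabled())])
    return -1

# Constructed input: a 3-vertex path (n = 3, diam = 2, K = 17) whose configuration was
# corrupted by a transient fault so that all three vertices are privileged at once.
PATH = {"a": ["b"], "b": ["a", "c"], "c": ["b"]}
CORRUPT = {"a": 6, "b": 10, "c": 14}

if __name__ == "__main__":
    sim, hist = run_sync(PATH, CORRUPT, 21)
    print("privileged vertices per configuration:", [sorted(s) for s in hist])
    print("central daemon reached Gamma_1 after", run_central(PATH, CORRUPT), "steps")
```

Running the file prints the privileged set of each of the 22 configurations: all three vertices in $\gamma_0$, none from $\gamma_1$ (everyone has reset to $-n$) until the clocks have climbed back to $0$ in $\gamma_4$, then exactly one vertex at a time. `run_central` shows that the same rules also converge when only one vertex moves per action, which is the asynchronous case Theorem 1 covers; the step count it returns depends on the seed, since the daemon there is random.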
4.2 Correctness

We prove here the self-stabilization of $SSME$ under the unfair distributed daemon.

Theorem 1. $SSME$ is a self-stabilizing distributed protocol for $spec_{ME}$ under $ud$.

Proof. As we choose $\alpha = n \geq hole(g) - 2$ and $K = (2n-1)(diam(g)+1)+2 > n \geq cyclo(g)$, the main result of [2] allows us to deduce that $SSME$ is a self-stabilizing distributed protocol for $spec_{AU}$ under $ud$ (recall that the predicate $privileged$ does not interfere with the protocol). By definition, this implies that there exists, for any execution $e$ of $SSME$ under $ud$, a suffix $e'$ reached in a finite time that satisfies $spec_{AU}$.

Let $\gamma$ be a configuration of $e'$ such that a vertex $v$ is privileged in $\gamma$. Then, by definition, we have $r_v = 2n + 2\,diam(g)\,id_v$. As $\gamma$ belongs to $e'$, we can deduce that $\gamma \in \Gamma_1$. Hence, for any vertex $u \in V \setminus \{v\}$, we have $d_K(r_u, r_v) \leq diam(g)$. Then, by definition of the predicate $privileged$ (any two privileged values are at distance strictly greater than $diam(g)$), no vertex other than $v$ can be privileged in $\gamma$. We can deduce that the safety of $spec_{ME}$ is satisfied on $e'$. The liveness of $spec_{ME}$ on $e'$ follows from the one of $spec_{AU}$ and from the definition of the predicate $privileged$.

Hence, for any execution of $SSME$ under $ud$, there exists a suffix reached in a finite time that satisfies $spec_{ME}$, which proves the theorem. □
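As a worked check of the spacing argument used in this proof (added here; it is not part of the original proof), write the privileged values as $p_i = 2n + 2\,diam(g)\,i$ for $i \in ID = \{0, \ldots, n-1\}$ and recall that $K = (2n-1)(diam(g)+1)+2$. Consecutive privileged values are $2\,diam(g)$ apart, and the largest one lies

$$K - p_{n-1} = (2n-1)(diam(g)+1) + 2 - \big((2n-2)(diam(g)+1) + 2\big) = diam(g) + 1$$

below $K$, so $p_{n-1} \in stab_X$ and the wrap-around distance from $p_{n-1}$ forward to $p_0$ is $K - p_{n-1} + p_0 = 2n + diam(g) + 1$. Since the modular distance between any two points of the cycle is at least the smallest gap between consecutive points, for any $i \neq j$,

$$d_K(p_i, p_j) \geq \min\{2\,diam(g),\ 2n + diam(g) + 1\} > diam(g),$$

whereas in any configuration of $\Gamma_1$ two registers are at distance at most $diam(g)$. This is exactly why two vertices cannot be privileged simultaneously once $\Gamma_1$ is reached, and it shows that a smaller clock, with $K - p_{n-1} \leq diam(g)$, would let the vertices of identity $0$ and $n-1$ be privileged together.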

4.3 Time Complexities 

This section analyses the time complexity of our self-stabilizing mutual exclusion protocol. In particular, we provide an upper bound on its stabilization time under the synchronous daemon (see Theorem 2) and under the unfair distributed daemon (see Theorem 3).

Synchronous daemon. We first focus on the stabilization time of $SSME$ under the synchronous daemon. We need to introduce some notations and definitions.

From now on, $e = (\gamma_0, \gamma_1)(\gamma_1, \gamma_2)\ldots$ denotes a synchronous execution of $SSME$ starting from an arbitrary configuration $\gamma_0$. For a configuration $\gamma_i$ and a vertex $v$, $r_v^i$ denotes the value of $r_v$ in $\gamma_i$.

Definition 5 (Island). In a configuration $\gamma_i$, an island $I$ is a maximal (w.r.t. inclusion) non-empty set of vertices whose registers hold correct values ($\forall v \in I,\ r_v^i \in stab_X$) and such that $\forall (u, v) \in I^2,\ u \in neig(v) \Rightarrow correct_v(u)$. A zero-island is an island such that $\exists v \in I,\ r_v^i = 0$. A non-zero-island is an island such that $\forall v \in I,\ r_v^i \neq 0$.

Note that any vertex $v$ that satisfies $r_v \in stab_X$ in a configuration $\gamma \notin \Gamma_1$ belongs by definition to an island (either a zero-island or a non-zero-island) in $\gamma$.

Definition 6 (Border and depth of an island). In a configuration $\gamma_i$ that contains an island $I \neq \emptyset$, the border of $I$ (denoted by $border(I)$) is defined by $border(I) = \{v \in I \mid \exists u \in V \setminus I,\ u \in neig(v)\}$ and the depth of $I$ (denoted by $depth(I)$) is defined by $depth(I) = \max\{\min\{dist(g, v, u) \mid u \in border(I)\} \mid v \in I\}$.

We now prove a set of preliminary lemmas before stating our main theorem.

Lemma 1. If a vertex $v$ is privileged in a configuration $\gamma_i$ (with $0 \leq i \leq diam(g)$), then $v$ cannot execute rules $CA$ and $RA$ in $e_i$.
Proof. As the result is obvious for $i = 0$, let $\gamma_i$ (with $0 < i \leq diam(g)$) be a configuration such that a vertex $v$ is privileged in $\gamma_i$. Then, we have by definition that $r_v^i = 2n + 2\,diam(g)\,id_v$.

By contradiction, assume that $v$ executes at least once rule $CA$ or $RA$ in $e_i$. Let $j$ be the biggest integer such that $v$ executes rule $CA$ or $RA$ during action $(\gamma_j, \gamma_{j+1})$ with $j < i$.

Assume that $v$ executes rule $RA$ during $(\gamma_j, \gamma_{j+1})$. Then, we have $r_v^{j+1} = -n$. From this point, only rule $CA$ may be enabled at $v$, but $v$ does not execute it by construction of $j$. Then, we can deduce that $r_v^i = -n$, which is contradictory.

Hence, we know that $v$ executes rule $CA$ during $(\gamma_j, \gamma_{j+1})$. Consequently, we have $r_v^{j+1} \in init_X$ by construction of the rule. As $v$ can only execute rule $NA$ between $\gamma_{j+1}$ and $\gamma_i$ by construction of $j$, we can deduce that $r_v^i \in init_X \cup \{0, \ldots, i - (j+1)\}$. As $i - (j+1) < diam(g) < 2n \leq 2n + 2\,diam(g)\,id_v$, this contradiction proves the result. □

Lemma 2. If a vertex $v$ is privileged in a configuration $\gamma_i$ (with $0 \leq i \leq diam(g)$), then $v$ cannot belong to a zero-island in any configuration of $e_i$.

Proof. Let 7j (with < i < diam[g)) be a configuration such that a vertex v is privileged in 7^. 
Then, we have by definition that = 2.n + 2.diam{g).idy. 

By contradiction, assume that there exist some configurations of $e_i$ in which v belongs to a
zero-island. Let j be the biggest integer such that v belongs to a zero-island I in $\gamma_j$ with $j < i$.

By definition of a zero-island, we know that there exists a vertex u in I such that $r_u^j = 0$. As
$dist(g,u,v) \le diam(g)$ and u and v belong to the same island in $\gamma_j$, we have $d_K(r_u^j, r_v^j) \le diam(g)$.
By construction of the clock, we thus have $r_v^j \in \{(2n-2)(diam(g)+1)+3, \dots, 0, \dots, diam(g)\}$.

By Lemma 1, we know that v may execute only rule NA between $\gamma_j$ and $\gamma_i$. Then, we have
$r_v^i \in \{(2n-2)(diam(g)+1)+3, \dots, 0, \dots, diam(g) + (i-j)\}$. As $diam(g) + (i-j) < 2\,diam(g)$,
v cannot be privileged in $\gamma_i$ (whatever its identity). This contradiction proves the result. □

Lemma 3. If a vertex v belongs to a non-zero-island of depth $k > 0$ in a configuration $\gamma_i$ (with
$0 < i < diam(g)$), then v belongs either to a non-zero-island of depth greater than or equal to k or
to a zero-island in $\gamma_{i-1}$.

Proof. Let $\gamma_i$ (with $0 < i < diam(g)$) be a configuration such that a vertex v belongs to a non-zero-island I of depth $k > 0$ in $\gamma_i$.

Assume that v does not belong to any island in $\gamma_{i-1}$. In other words, we have $r_v^{i-1} \in init_\mathcal{X}$.
Consequently, v may only execute rule CA during action $(\gamma_{i-1}, \gamma_i)$ and we have $r_v^i \in init_\mathcal{X}$. This
means that v either belongs to a zero-island or does not belong to any island in $\gamma_i$. This contradiction
shows us that v belongs to an island in $\gamma_{i-1}$.

If v belongs to a zero-island in $\gamma_{i-1}$, we have the result. Otherwise, assume by contradiction
that v belongs to a non-zero-island I' such that $depth(I') < k$ in $\gamma_{i-1}$. By definition of a non-zero-island,
all vertices of $border(I')$ are enabled by rule RA in $\gamma_{i-1}$. As we consider a synchronous
execution, we obtain that I (the non-zero-island that contains v in $\gamma_i$) satisfies $depth(I) < k$. This
contradiction shows the lemma. □

Lemma 4. If $\gamma_0 \notin \Gamma_1$, then any vertex v satisfies $r_v^{diam(g)} \in init_\mathcal{X} \cup \{(2n-2)(diam(g)+1)+3, \dots, 0, \dots, 2\,diam(g)-1\}$.

Proof. Assume that $\gamma_0 \notin \Gamma_1$. Then, by definition of $\Gamma_1$ and by the construction of the protocol, we
know that there exists a set $V' \subseteq V$ such that the vertices of $V'$ are enabled by rule RA in $\gamma_0$. Let
v be an arbitrary vertex of V.
If v executes at least once the rule RA during $e_{diam(g)}$, let i be the biggest integer such that v
executes rule RA during $(\gamma_i, \gamma_{i+1})$ with $i < diam(g)$. Then, we have $r_v^{i+1} = -n$. As $diam(g) - (i+1) < n$,
we can deduce that v may execute only rule CA between $\gamma_{i+1}$ and $\gamma_{diam(g)}$. Consequently,
we have $r_v^{diam(g)} \in init_\mathcal{X}$.

If v executes at least once the rule CA but never executes rule RA during $e_{diam(g)}$, let i be the
biggest integer such that v executes rule CA during $(\gamma_i, \gamma_{i+1})$ with $i < diam(g)$. Then, we have
$r_v^{i+1} \in init_\mathcal{X}$. By construction of i, we can deduce that v may execute only rule NA between $\gamma_{i+1}$
and $\gamma_{diam(g)}$. As $diam(g) - (i+1) < diam(g)$, we have $r_v^{diam(g)} \in init_\mathcal{X} \cup \{0, \dots, diam(g)-1\}$.

Otherwise (v executes only rule NA during $e_{diam(g)}$), let i be the integer defined by
$i = \min\{dist(g,v,v') \mid v' \in V'\}$. Note that $0 < i \le diam(g)$ by construction (recall that $v \notin V'$). We can
deduce that v belongs to a zero-island in $\gamma_i$ (otherwise, v executes rule RA or CA during $(\gamma_i, \gamma_{i+1})$).
By definition of a zero-island, we then have $r_v^i \in \{(2n-2)(diam(g)+1)+3, \dots, 0, \dots, diam(g)\}$.
As v may execute only rule NA between $\gamma_i$ and $\gamma_{diam(g)}$ and $diam(g) - i < diam(g)$, we can deduce
that $r_v^{diam(g)} \in \{(2n-2)(diam(g)+1)+3, \dots, 0, \dots, 2\,diam(g)-1\}$. □



Theorem 2. $conv\_time(\mathcal{SSME}, sd) \le \lceil diam(g)/2 \rceil$.

Proof. By contradiction, assume that $conv\_time(\mathcal{SSME}, sd) > \lceil diam(g)/2 \rceil$. This means that there
exists a configuration $\gamma_0$ such that the synchronous execution $e = (\gamma_0, \gamma_1)(\gamma_1, \gamma_2)\cdots$ of $\mathcal{SSME}$
starting from $\gamma_0$ satisfies: there exists an integer $i > \lceil diam(g)/2 \rceil$ and two vertices u and v such that u and v are
simultaneously privileged in $\gamma_i$. Let us study the following cases (note that they are exhaustive):



Case 1: $\lceil diam(g)/2 \rceil < i < diam(g)$

By Lemma 1, we know that u may execute only rule NA in $e_i$. This implies that $\forall j \le i, r_u^j \in stab_\mathcal{X}$
and then $d_K(r_u^0, r_u^i) \le i$. In the same way, we can prove that $d_K(r_v^0, r_v^i) \le i$.

If u is privileged in $\gamma_i$, this means that $r_u^i \in stab_\mathcal{X}$ and $d_K(r_u^i, 0) > diam(g)$. As u and v
are simultaneously privileged in $\gamma_i$, we have by definition that $d_K(r_u^i, r_v^i) > diam(g)$. This
implies that $\gamma_i \notin \Gamma_1$ and that u belongs to a non-zero-island I such that $depth(I) \ge 1$ in $\gamma_i$.
By recursive application of Lemmas 2 and 3, we deduce that u belongs to a non-zero-island
I' such that $depth(I') \ge i + 1 > \lceil diam(g)/2 \rceil + 1$ in $\gamma_0$. The same property holds for v. As
$dist(g,u,v) \le diam(g)$, we can deduce that u and v belong to the same non-zero-island in
$\gamma_0$, which allows us to state $d_K(r_u^0, r_v^0) \le diam(g)$.

Without loss of generality, assume that $id_u < id_v$. Let us now distinguish the following cases:

If $id_v - id_u \ge 2$, as u and v are simultaneously privileged in $\gamma_i$, we have $d_K(r_u^i, r_v^i) \ge 2n + diam(g) + 1$
(if $id_u = n-1$ and $id_v = 0$) or $d_K(r_u^i, r_v^i) \ge 4\,diam(g)$ (otherwise). Note
that in both cases, we have $d_K(r_u^i, r_v^i) \ge 3\,diam(g)$. Recall that $d_K$ is a distance. In particular,
it must satisfy the triangular inequality. Then, we have $d_K(r_u^i, r_v^i) \le d_K(r_u^i, r_u^0) + d_K(r_u^0, r_v^0) + d_K(r_v^0, r_v^i)$.
By the previous results, we obtain that $d_K(r_u^i, r_v^i) \le diam(g) + 2i < 3\,diam(g)$, which
is contradictory.

If $id_v - id_u = 1$, by construction of $\gamma_i$, we have $r_u^i = 2n + 2\,diam(g)\,id_u \ge 0$ and
$r_v^i = 2n + 2\,diam(g)(id_u + 1)$. Then, we obtain $r_v^i - r_u^i = 2\,diam(g)$. Hence, we have
$r_u^0 \le r_u^i < r_v^0 \le r_v^i$. Then, we can deduce from $r_v^i - r_u^i = 2\,diam(g)$ and $r_v^0 - r_u^0 > 0$ that
$r_v^0 - r_u^0 \le diam(g)$. On the other hand, the previous results show us that $r_u^i - r_u^0 < diam(g)$
and $r_v^i - r_v^0 < diam(g)$. It follows that $r_v^i - r_u^i < 2\,diam(g)$, which is contradictory.

Case 2: $diam(g) \le i < 2n + diam(g)$

As u and v are simultaneously privileged in $\gamma_i$, we have by definition that $d_K(r_u^i, r_v^i) > diam(g)$.
This implies that $\gamma_i \notin \Gamma_1$ and then $\gamma_0 \notin \Gamma_1$ (otherwise, we obtain a contradiction
with the closure of $spec_{AU}$).

By Lemma 4, for any vertex w, $r_w^{diam(g)} \in init_\mathcal{X} \cup \{(2n-2)(diam(g)+1)+3, \dots, 0, \dots, 2\,diam(g)-1\}$.
As w may execute at most $i - diam(g) < 2n$ actions between
$\gamma_{diam(g)}$ and $\gamma_i$, we can deduce that $r_w^i \in init_\mathcal{X} \cup \{(2n-2)(diam(g)+1)+3, \dots, 0, \dots, 2n + 2\,diam(g)-1\}$
for any vertex w.

By construction of the clock and the definition of the predicate privileged, we can conclude
that there is at most one privileged vertex (the one with identity 0) in $\gamma_i$, which is contradictory.

Case 3: $i \ge 2n + diam(g)$

By [3], we know that $\mathcal{SSME}$ stabilizes to $spec_{AU}$ in at most $\alpha + lcp(g) + diam(g)$ steps under
the synchronous daemon, where $lcp(g)$ denotes the length of the longest elementary chordless
path of g. As we have $\alpha = n$ by construction and $lcp(g) \le n$ by definition, we can deduce that
$\mathcal{SSME}$ stabilizes to $spec_{AU}$ in at most $2n + diam(g)$ steps under the synchronous daemon.

In particular, this implies that $\gamma_i \in \Gamma_1$. Then, using the proof of Theorem 1, we obtain a
contradiction with the fact that u and v are simultaneously privileged in $\gamma_i$.



We thus obtain that $conv\_time(\mathcal{SSME}, sd) \le \lceil diam(g)/2 \rceil$. □



Unfair distributed daemon. We are now interested in the stabilization time of our mutual exclusion
protocol under the unfair distributed daemon. Using a previous result from [7], we have the
following upper bound:

Theorem 3. $conv\_time(\mathcal{SSME}, ufd) \in O(diam(g) \cdot n^3)$

Proof. Recall that the stabilization time of $\mathcal{SSME}$ for $spec_{AU}$ is an upper bound for the one for
$spec_{ME}$ whatever the daemon is. The step complexity of this protocol is tricky to compute exactly.
To the best of our knowledge, [7] provides the best known upper bound on this step complexity.

The main result of [7] is to prove that $\mathcal{SSME}$ stabilizes in at most $2\,diam(g)\,n^3 + (\alpha+1)\,n^2 + (\alpha - 2\,diam(g))\,n$
steps under ufd. Since we chose $\alpha = n$, we have the result. □



5 Synchronous Lower Bound 

We prove here a lower bound on the stabilization time of mutual exclusion under a synchronous
daemon, showing thereby that our speculatively stabilizing protocol presented in Section 4.1 is in
this sense optimal. We introduce some definitions and a lemma.

Definition 7 (Local state). Given a configuration $\gamma$, a vertex v and an integer $0 \le k \le diam(g)$,
the k-local state of v in $\gamma$ (denoted by $\gamma_{v,k}$) is the configuration of the communication subgraph
$g' = (V', E')$ induced by $V' = \{v' \in V \mid dist(g,v,v') \le k\}$ defined by $\forall v' \in V', \gamma_{v,k}(v') = \gamma(v')$.
Note that $\gamma_{v,0} = \gamma(v)$ by definition.

Definition 8 (Restriction of an execution). Given an execution $e = (\gamma_0, \gamma_1)(\gamma_1, \gamma_2)\cdots$ and a vertex
v, the restriction of e to v (denoted by $e_v$) is defined by $e_v = (\gamma_0(v), \gamma_1(v))(\gamma_1(v), \gamma_2(v))\cdots$.

Lemma 5. For any self-stabilizing distributed protocol $\pi$ for $spec_{ME}$ under the synchronous daemon
and any pair of configurations $(\gamma, \gamma')$ such that there exists a vertex v and an integer $1 \le k \le diam(g)$
satisfying $\gamma_{v,k} = \gamma'_{v,k}$, the restrictions to v of the prefixes of length k of the executions of $\pi$ starting
respectively from $\gamma$ and $\gamma'$ are equal.

Proof. Let $\pi$ be a self-stabilizing distributed protocol for $spec_{ME}$ under the synchronous daemon
and $(\gamma, \gamma')$ two configurations such that there exists a vertex v and an integer $1 \le k \le diam(g)$
satisfying $\gamma_{v,k} = \gamma'_{v,k}$. We denote by $e = (\gamma, \gamma_1)(\gamma_1, \gamma_2)\cdots$ (respectively $e' = (\gamma', \gamma'_1)(\gamma'_1, \gamma'_2)\cdots$) the
synchronous execution of $\pi$ starting from $\gamma$ (respectively $\gamma'$). We are going to prove the lemma by
induction on k.

For $k = 1$, we have $\gamma_{v,1} = \gamma'_{v,1}$, that is, the states of v and of its neighbors are identical in $\gamma$ and
$\gamma'$. As the daemon is synchronous, we have $(e_1)_v = (e'_1)_v$, which implies the result.

For $k > 1$, assume that the lemma is true for $k - 1$. The induction assumption and the synchrony
of the daemon allow us to deduce that $(e_{k-1})_v = (e'_{k-1})_v$ and $\forall u \in neig(v), (e_{k-1})_u = (e'_{k-1})_u$.

Hence, we have $(\gamma_{k-1})_{v,1} = (\gamma'_{k-1})_{v,1}$. Then, by the same argument as in the case $k = 1$, we
deduce that $(\gamma_k)_{v,0} = (\gamma'_k)_{v,0}$, which implies the result. □

Theorem 4. Any self-stabilizing distributed protocol $\pi$ for $spec_{ME}$ satisfies $conv\_time(\pi, sd) \ge \lceil diam(g)/2 \rceil$.

Proof. By contradiction, assume that there exists a self-stabilizing distributed protocol $\pi$ for
$spec_{ME}$ such that $conv\_time(\pi, sd) < \lceil diam(g)/2 \rceil$. For the sake of notation, let us denote
$t = conv\_time(\pi, sd)$.

Given an arbitrary communication graph g, choose two vertices u and v such that $dist(g,u,v) = diam(g)$
and an arbitrary configuration $\gamma_0$. Denote by $e = (\gamma_0, \gamma_1)(\gamma_1, \gamma_2)\cdots$ the synchronous
execution of $\pi$ starting from $\gamma_0$.

By definition, e contains an infinite suffix in which u (respectively v) executes infinitely often
its critical section. Hence, there exists a configuration $\gamma_i$ (respectively $\gamma_j$) such that u (respectively
v) is privileged in $\gamma_i$ (respectively $\gamma_j$) and $i \ge t$ (respectively $j \ge t$).



As $t < \lceil diam(g)/2 \rceil$ and $dist(g,u,v) = diam(g)$, there exists at least one configuration $\gamma'_0$ such that
$(\gamma'_0)_{u,t} = (\gamma_{i-t})_{u,t}$ and $(\gamma'_0)_{v,t} = (\gamma_{j-t})_{v,t}$. Let $e' = (\gamma'_0, \gamma'_1)(\gamma'_1, \gamma'_2)\cdots$ be the synchronous execution
of $\pi$ starting from $\gamma'_0$.

By Lemma 5, we can deduce that the restriction to u of the prefix of length t of e' is the same
as that of the suffix of e starting from $\gamma_{i-t}$. In particular, u is privileged in $\gamma'_t$. In the same
way, we know that v is privileged in $\gamma'_t$. This contradiction leads to the result. □
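To make the graph-local notions used above concrete, here is an added Python example; it is not code from the paper (which provides none). It implements $border(I)$ and $depth(I)$ from Definition 6, the k-local state $\gamma_{v,k}$ of Definition 7, and the splicing step of the proof of Theorem 4, which builds a configuration $\gamma'_0$ that agrees with one configuration on the t-ball of u and with another on the t-ball of v. The adjacency-dict encoding of g, the constructed path graph, the labelled local states and the `filler` value used outside both balls are assumptions of this example, not notation of the paper.

```python
# Added example (not from the paper): border/depth of an island (Definition 6),
# k-local state (Definition 7) and the configuration splice of Theorem 4's proof,
# run on a constructed path graph.
from collections import deque
from math import ceil


def path_graph(n):
    """Constructed sample graph: the path 0 - 1 - ... - (n-1), as an adjacency dict."""
    return {i: [j for j in (i - 1, i + 1) if 0 <= j < n] for i in range(n)}


def bfs_dist(adj, src):
    """Hop distances dist(g, src, x) for every vertex x (BFS on an undirected graph)."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        x = queue.popleft()
        for y in adj[x]:
            if y not in dist:
                dist[y] = dist[x] + 1
                queue.append(y)
    return dist


def diameter(adj):
    """diam(g): the largest pairwise distance."""
    return max(max(bfs_dist(adj, v).values()) for v in adj)


def border(adj, island):
    """Definition 6: vertices of I having at least one neighbour outside I."""
    return {v for v in island if any(u not in island for u in adj[v])}


def depth(adj, island):
    """Definition 6: max over v in I of the distance (in g) from v to border(I)."""
    b = border(adj, island)
    if not b:
        # I = V has no border; the paper never needs this case (assumption of this example).
        return None
    return max(min(bfs_dist(adj, v)[u] for u in b) for v in island)


def local_state(adj, config, v, k):
    """Definition 7: the k-local state of v, i.e. config restricted to the k-ball of v."""
    d = bfs_dist(adj, v)
    return {x: config[x] for x in adj if d[x] <= k}


def splice(adj, gamma_a, gamma_b, u, v, t, filler):
    """Build gamma'_0 agreeing with gamma_a on the t-ball of u and with gamma_b on
    the t-ball of v (the step used in the proof of Theorem 4). Vertices in neither
    ball get the placeholder `filler`; any state works for the argument. Raises when
    the two balls intersect, which happens exactly when 2t >= dist(g, u, v)."""
    ball_u = local_state(adj, gamma_a, u, t)
    ball_v = local_state(adj, gamma_b, v, t)
    if set(ball_u) & set(ball_v):
        raise ValueError("t-balls of u and v overlap: no configuration agrees with both")
    new = {x: filler for x in adj}
    new.update(ball_u)
    new.update(ball_v)
    return new


def lower_bound_witness(n):
    """On the path with n vertices: take u, v at distance diam(g) and
    t = ceil(diam(g)/2) - 1, the largest t allowed by the assumption of Theorem 4.
    Returns (t, spliced configuration, whether t+1 already makes the splice impossible)."""
    adj = path_graph(n)
    d = diameter(adj)
    u, v = 0, n - 1
    t = ceil(d / 2) - 1
    # Two constructed configurations; local states are just labels here.
    gamma_a = {x: ("a", x) for x in adj}
    gamma_b = {x: ("b", x) for x in adj}
    spliced = splice(adj, gamma_a, gamma_b, u, v, t, filler=("z", None))
    try:
        splice(adj, gamma_a, gamma_b, u, v, t + 1, filler=("z", None))
        next_fails = False
    except ValueError:
        next_fails = True
    return t, spliced, next_fails


if __name__ == "__main__":
    g = path_graph(7)
    island = {1, 2, 3, 4, 5}
    print("border:", sorted(border(g, island)), "depth:", depth(g, island))
    t, cfg, nxt = lower_bound_witness(7)
    print("t =", t, "spliced:", cfg, "splice impossible at t+1:", nxt)
```

On the 7-vertex path, `diam(g) = 6`, the island {1, ..., 5} has border {1, 5} and depth 2, and the splice succeeds for $t = 2$ but raises for $t = 3$: the two 3-balls share vertex 3, which is exactly why the proof needs $t < \lceil diam(g)/2 \rceil$.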



6 Conclusion 

This paper studies for the first time the notion of speculation in self-stabilization. As the main 
measure in this context is the stabilization time, we naturally consider that a speculatively stabi- 
lizing protocol is a self-stabilizing protocol for a given adversary that exhibits moreover a better 
stabilization time under another (and weaker) adversary. This weaker adversary captures a subset
of most probable executions for which the protocol is optimized. 

To illustrate this approach, we consider the seminal problem of Dijkstra on self-stabilization:
mutual exclusion. We provide a new self-stabilizing mutual exclusion protocol. We then prove that
this protocol has an optimal stabilization time in synchronous executions.

Our paper opens a new path of research in self-stabilization by considering the stabilization 
time of a protocol as a function of the adversary and not as a single value. As a continuation, 
one could naturally apply our new notion of speculative stabilization to other classical problems of 
distributed computing and provide speculative protocols for other adversaries than the synchronous 
one. It may also be interesting to study a composition tool that automatically ensures speculative 
stabilization. 